CPSP – Certified Payment Security Practitioner
Introduction
Payment Card Industry Data Security Standard (henceforth termed as PCI DSS) is developed to promote and facilitate payment card holder data security. The standard applies to business entities suchasbutnotlimitedtomerchants,paymentprocessors,issuers,acquirers,serviceproviderswhich store, process and/or transmit payment carddata.
Importance of PCI DSS
The standard works as an enabler for organizations to implement security controls to provide reasonable data security assurance while processing payment card transactions. The PCI DSS compliance guides organizations by providing a set of baseline technical and operational security controls which can be integrated as a “business as usual (BAU)” process in the organization.
The way payment ecosystem and its associated technology are changing it is becoming massively important for organizations to have a “Sustainable Payment Card Security Compliance Program” and PCI DSS compliance helps you by providing a much-needed framework to build a credible payment card data security program.
Objective of PCI DSS Compliance Program
- Building a framework for securing payment carddata
- Ensuring security and not justcompliance
- Taking a risk-based approach to implement securitycontrols
- Winning end customertrust
- Going beyond the traditional checklist-based approach forsecurity
In line with these objectives, we are pleased to announce a 2-day training on “Certified Payment Card Industry Data Security Implementer”.
Why CPSP?
In the past few years we have seen massive breaches at organizations such as Target and Equifax. In manycases,theseorganizationswerecomplianttoPCIDSS.Yet,breacheshappenedandinmostcases the breach was notified to the impacted company by an outside agency. Investments in complying to these standards are in addition to technology investments made by companies in anti-viruses, firewalls,securityincidentandeventmanagementsystems,etc.Thetraditionalcheckboxapproachto cybersecurity no longerworks.
It is important that organizations realize that the cybersecurity journey goes far beyond just compliance to any given standard. Organizations should also recognize that even after significant investments breaches can still occur.
The training will cover the entire payment ecosystem and the latest PCI DSS standard which will help participants in understanding the intent and objective of each PCI DSS requirement. The training will also provide participants a platform where they can understand a PCI QSA’s (Payment Card Industry Qualified Security Assessor) perspective of validating a PCI DSS requirement.
The training will provide participants a hands-on experience of implementing PCI DSS compliance program through case studies and examples.
Who Should Attend?
- Chief Information SecurityOfficers
- Compliance Officers
- Information TechnologyManagers
- Developers
- Information Systems and SecurityImplementers
- Other securityprofessionals
Table of Contents
- PART 1:
- Basics of Payment Ecosystem: Card Data (Track data, EMV Chip), Entitiesinvolved
- Payment Transaction flow: Issuing and Acquiring (Card Present and Card Not Present Transactions)
- Stages of Payment Processing: Authentication, Authorization, Clearing, Settlement, Chargeback, Refundetc.
- Various Payment Channels: ATM, POS, Ecom, Mobile App, MOTO, NFC orContactless
- PCI Perspective on architecture: Good and Bad: Inhouse Arch., Third party Cloud Architecture,Virtualization
- What is PCIDSS
- Who is PCISSC
- Responsibilities of various entities: PCI SSC, PCI QSAs, PCI ASVsetc.
- PCI DSS Compliance Mandate and Applicability of PCIDSS
- Levels of Service Provider andMerchants
- Various SAQs andApplicability
- Approach for PCI DSS Implementation and Certification: “The PhasedApproach”
- PCI DSS and Card Data Storage Mandate: AGlimpse
- PART2:
- Overview PCI DSS v3.2: 6 objectives and 12Requirements
- Overview of PA-DSS
- Overview of PCIPTS
- Overview of PCIP2PE
- Integration Model for Various PCIStandards
- PCI DSS Scoping and NetworkSegmentation
- Scoping vs Sampling: What iswhat?
- PCI DSS Risk Assessment Methodology andApproach
- PCI DSS and ISO 27001: AComparison
- PART3:
- Implementing PCI DSS Requirements: Detailed discussion on each requirement and sub requirement of PCI DSSv3.2
- QSA Perspective for each PCI DSS requirement and BestPractices
- PCI DSS Using Open Source tools: Suggestion on available tools to meet PCI DSS requirements
- Appendix A1 andA2
- Designated entities supplemental validation(DESV)
- Overview and implementation practices of CompensatingControls
- PART4:
- Annual PCI DSS Compliance Management: The PCI DSSCalendar
- An Approach to Handle suspected card databreach
- PCI DSS Resources and KnowledgeLibrary
- What to look for in a PCIQSAC